What do the different permissions mean? I can't find an explanation of this in the document here http://www.logrus.com/nodequeue/readme.txt

What does 'manipulate queues' allow?
How is this different from adding a role to a single queue on the queue edit page?
What does 'Check each role that can add nodes to the queue.' mean -- the readme implies this allows removal of a node from the queue too.


Comments

catch’s picture

Title: please explain permissions for this module » Permissions are confusing
Version: 5.x-1.2 » 5.x-2.x-dev
Category: support » bug
Priority: Normal » Critical

I just spent about 20 minutes trying to work out permissions weirdness, so bumping version and status - be nice to get this fixed up before a final release.

So - if you set the add/remove link in a nodequeue to a role via the checkbox, it only shows up if the user has "manipulate queues" permission. Although I haven't yet checked all variations. This is what I thought would happen:

1. any role where the checkbox is checked gets the links if set
2. any role with "manipulate all queues" permission gets the tabs, and the links if checked for their role
3. "manipulate queues" ??? probably access to tabs but to be honest I completely ignored it when initially setting up the module, and didn't think to look back there before I thought the checkboxes would work.

This is what I think actually happens so far, although it's probably still slightly wrong

1. Any role with manipulate queues gets the links and tab if they have the checkbox checked
2. The checkbox has no effect at all if a role doesn't have 'manipulate queues' permission (this is what confused me)
3. manipulate all queues gets all tabs, and links whatever happens

Ideally:

1. checkbox-per-role gives you access to the links
2. checkbox per role gives you access to the tabs - probably this would be set in the same place as the links permissions - on the nodequeue edit page
3. manipulate all queues/administer queues gives you everything all the time
4. 'manipulate queues' disappears because the above behaviour makes it redundant.

merlinofchaos’s picture

'manipulate queues' exists as a performance saver.

If a role doesn't have manipulate queues, then the query for the tab doesn't need to be run.

joachim’s picture

Ah... that makes sense :)
I don't see a way to make the names clearer, unfortunately.

What I'd suggest though is:

On the edit page for a queue:
- list only the roles that have 'manipulate queues'. This would give the admin user some feedback that 'manipulate queues' permission actually does something
- add some help text saying 'Only roles with 'manipulate queues' can be chosen here'.

Could you add a docs page to the handbooks on drupal.org for this module please, rather than a link to a readme elsewhere?

PS. And what about 'Check each role that can add nodes to the queue.'?

ezra-g’s picture

I am marking #264415: Role selection for nodequeue manipulation ignores "manipulate all queues" permission as a duplicate of this, since it describes a solution to this problem;

Quoting dww:

When you add or edit a nodequeue, you can select what roles are allowed to manipulate that queue. Unfortunately, this UI doesn't consider roles with "manipulate all queues" permissions. A few options:

A) Clarify this in the help text with something like "Note, roles with manipulate all queues permission will always be able to manipulate this queue, so they are not listed".

B) Put such roles into the UI with selected checkboxes which are disabled, with a note much like the one above, only "... so you can not prevent those roles from manipulating this queue unless you remove that permission first." (or something). This is slightly more self-evident UI, but will be more work.

I'm happy to work on a patch. In IRC, we decided (A) was probably good enough, but then Earl got excited about (B). So, I'm just awaiting marching-orders from Earl before I work on a patch. ;)

Earl/Merlinofchaos supported B. Please see #2 in the above mentioned issue for my thoughts on making this interface change account for Smartqueue modular access control.
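
The access rules as described in the comments above, modelled as an added example (not nodequeue's code and not part of any comment in this thread). It flags the two confusing cases raised here: a checked role whose checkbox does nothing, and a role whose access the queue form does not show. Role names, queue names and function names are constructed for illustration.

```python
# Model of the rules described in this thread; all sample data is constructed.
MANIPULATE = "manipulate queues"
MANIPULATE_ALL = "manipulate all queues"

def can_manipulate(role, queue, role_perms, queue_roles):
    """Effective access of one role to one queue."""
    perms = role_perms.get(role, set())
    if MANIPULATE_ALL in perms:
        return True  # global override, per-queue checkboxes are ignored
    # The per-queue checkbox only counts when the role also holds the gate permission.
    return MANIPULATE in perms and role in queue_roles.get(queue, set())

def audit(role_perms, queue_roles):
    """Return (queue, role, finding) where the queue form and real access disagree."""
    findings = []
    for queue in sorted(queue_roles):
        checked = queue_roles[queue]
        for role in sorted(role_perms):
            perms = role_perms[role]
            if MANIPULATE_ALL in perms:
                if role not in checked:
                    # Access exists but is not visible on the queue edit page.
                    findings.append((queue, role, "implicit_access"))
            elif role in checked and MANIPULATE not in perms:
                # Checkbox is ticked but has no effect.
                findings.append((queue, role, "inert_checkbox"))
    return findings

# Constructed sample configuration.
ROLE_PERMS = {
    "editor": {MANIPULATE},
    "author": set(),
    "admin": {MANIPULATE_ALL},
}
QUEUE_ROLES = {
    "front_page": {"editor", "author"},
    "sidebar": {"author"},
}

if __name__ == "__main__":
    for queue, role, finding in audit(ROLE_PERMS, QUEUE_ROLES):
        print(f"{queue}: {role}: {finding}")
```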

ezra-g’s picture

Component: Documentation » User interface

Sorry about the mail spam...

ezra-g’s picture

Title: Permissions are confusing » Usability: Permissions are confusing

willmoy’s picture

Version: 5.x-2.x-dev » 7.x-2.x-dev
Priority: Critical » Normal

I came intending to submit #4 above as a bug... sub. I don't think it can count as critical after all this time, though.

amateescu’s picture

Closed #1009478: "No roles" and "manipulate all queues" as a duplicate.

A good suggestion from that issue is to make the 'No roles have...' text more prominent.

amateescu’s picture

Status: Active » Needs review

Attaching patches that implement option B) from #4.

amateescu’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.